Netgate Discussion Forum
    Firewall rules ignored or overridden?

    Firewalling
    46 Posts 4 Posters 11.9k Views

      johnpoz LAYER 8 Global Moderator

      If you have an any-any rule and you're seeing blocks to some specific IP with anything other than SYN as your flag, then yeah, you either have out-of-state traffic from something like a cell phone or wifi device that was in standby mode for a long time, or, as mentioned, an asymmetrical routing issue.

      Why don't you draw up your network so we can take a look see.  You for sure should not have to set sloppy state on your rules.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        deadbolt_forum

        "statetype" = "sloppy state" did not resolve the issue.  I guess I didn't wait long enough for the error to recur last night.  I am still having the same problem with 993 packets showing up as blocked in the log.

        Network diagram couldn't be simpler.
        ISP -> Modem -> Pfsense -> Workstation

          deadbolt_forum

          Since the service is email, which gets polled periodically, perhaps the sessions go stale between polls for new emails.  If I set the rule with a really high state timeout, does anyone think that will solve the issue?

          In System -> Advanced -> Firewall & NAT -> Firewall Optimization Options = Normal.  Perhaps this is causing sessions to be closed too early.

            Derelict LAYER 8 Netgate

            No. The default settings should be fine.  What are the "various flags" you're seeing on TCP?

            If it's not just plain [S] you are seeing, it's likely out-of-state traffic, which should be harmless.

            Is anything actually not working or are you just looking at the logs?

            https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              deadbolt_forum

              Recent flags include the following sets: PA, RA, R, A, FA

              Also, 6min of traffic is enough to completely fill the last 50 entries visible in the system logs making it hard to see any other traffic.

                Derelict LAYER 8 Netgate

                Did you read that doc link?

                Then filter on the information you're looking for.

                  deadbolt_forum

                  I just read that doc link.  I have no clustering or load balancing and no multi-WAN.  Also, there are no gateways set on the LAN interface settings.  If Asymmetric Routing is occurring then it must be on Comcast's backend network since my computer only has a single routable path to the Internet.

                  As per the manual fix in that document, I have re-enabled "State Type" = "sloppy state" and this time added "TCP flags" = "Any flags".  Also, I added the same rule on the LAN in the outbound direction using a floating rule.  It will take a couple of hours to collect enough traffic to know if this solution works or not.  I will report back once I know for sure.

                  Thanks for the helpful suggestions.

                    Derelict LAYER 8 Netgate

                    The top section. If the other sections are N/A, they're N/A.

                      johnpoz LAYER 8 Global Moderator

                      Not sure what you're doing, but if this is what you have
                      ISP -> Modem -> Pfsense -> Workstation

                      I really don't see how it's possible you could have asymmetrical routing.  Unless you have wifi and wired connected on your workstation at the same time.  You for sure should not have to set any sort of sloppy states on any rules.

                      Did you read the link about legit traffic blocked in the logs Derelict provided?  Can you post up a sample of what you're seeing via a screenshot, not some ASCII art.

                      You know you can increase the number of logs displayed in the log in the GUI; you can also go to the actual files.  What exactly are you seeing blocked?  Badly written code that doesn't send keep-alives and doesn't talk for hours and then tries to continue the conversation could cause out-of-state blocks.  Because the firewall, after a specific time of not seeing any traffic on a specific state, will close that state.  If it then sees traffic, it would be blocked for being out of state.

                        deadbolt_forum

                        I understand that legitimate traffic will be blocked and usually I see that in the logs as a few orphan packets coming in when a session has ended or expired.  What I don't expect to see is over 50 blocked packets every 11min completely filling up my logs and making logging useless.  Either these packets should be dropped silently or better yet the appropriate rule should be identified to pass the traffic through.  I have included a screenshot of the System Log Firewall page.  Due to the length of the scrollable page it took three images.  Also, I have redacted my public IP for privacy.

                        [Screenshots of the System Log Firewall page: 1.png, 2.png, 3.png]

                          Derelict LAYER 8 Netgate

                          Lots of blocks outbound on WAN? What did you do in floating rules?

                            deadbolt_forum

                            According to the logs, the rules causing the blocks are as follows:

                            The rule that triggered this action is:
                            @8(1000000106) block drop out log inet6 all label "Default deny rule IPv6"

                            AND

                            The rule that triggered this action is:
                            @5(1000000103) block drop in log inet all label "Default deny rule IPv4"

                            There are no floating rules except for some VOIP QoS rules created by the Traffic Shaper wizard, which are completely unrelated.  I removed the previous floating rule because I think we can all agree that this is not an Asymmetric Routing issue.  The previous rule I created was the one listed in the document that was linked, which said to create a floating rule on the LAN for outbound IPv4 TCP 993 traffic with ANY flags and Sloppy State.  I have also reverted the pass rule on the LAN for TCP 993 so that the advanced option ANY flags is removed and Sloppy State is back to keep.

                              Derelict LAYER 8 Netgate

                              If you think those are log spam, go to Status > System Logs, Settings tab and uncheck Log firewall default blocks.

                                deadbolt_forum

                                While I agree that disabling logging of the default rule would remove these packets from the log, that doesn't really help.  I would like to be able to see what packets are being blocked by the firewall and hiding all blocked packets just to get rid of the ones from port 993 is overkill.  If the solution is to hide these packets from the log instead of passing them through the firewall, then I would want to create a more specific block rule that only matched these packets with no logging so that I could continue to see packets blocked by the default rule.

                                  Derelict LAYER 8 Netgate

                                  Your IMAP client is trying to use a connection after the state has been deleted for inactivity or it is otherwise misbehaving.

                                  What isn't working other than the logs you are seeing?

                                  The default timeout for an established TCP state is:

                                  tcp.established          86400s

                                  One whole day. With zero activity.

                                  Not sure how long you think the states should be kept around but feel free to adjust that.

                                    deadbolt_forum

                                    I'm fine with 1 day, but I suspect that sessions are closed after 1 hr or less.

                                    Where do you see that setting?  I do not see an entry for tcp.established in /tmp/rules.debug.  Also, is that the default setting when "Firewall Optimization Options" = Normal?  Or is that for a different setting like conservative?

                                      Derelict LAYER 8 Netgate

                                      That is the setting for Normal.

                                      This is an existing IMAP state for my mail client:

                                      igb0_vlan223 tcp 192.0.2.96:143 <- 192.168.223.6:52466      ESTABLISHED:ESTABLISHED
                                        [3857059653 + 131008] wscale 1  [3105376859 + 66608] wscale 5
                                        age 94:39:32, expires in 23:59:54, 64046:44625 pkts, 11286281:32760196 bytes, rule 283
                                        id: 00000000585fc42a creatorid: 5297d028
                                      igb1 tcp 192.51.100.226:13887 (192.168.223.6:52466) -> 192.0.2.96:143      ESTABLISHED:ESTABLISHED
                                        [3105376859 + 66608] wscale 5  [3857059653 + 131008] wscale 1
                                        age 94:39:32, expires in 23:59:54, 64046:44625 pkts, 11286281:32760196 bytes, rule 211

                                      You can get the same thing with:

                                      pfctl -vvss | grep -a2 mailserverip:993

                                      Existing state timeouts:

                                      pfctl -st

                                        deadbolt_forum

                                        Immediately after seeing blocked packets in the log, I searched for the server that was blocked using the command you provided:
                                        pfctl -vvss | grep -a2 207.46.10.10:993

                                        igb1 tcp 207.46.10.10:993 <- 192.168.1.40:65410      TIME_WAIT:TIME_WAIT
                                          [1970684899 + 130688] wscale 0  [2546679215 + 5346] wscale 5
                                          age 00:03:58, expires in 00:00:10, 24:19 pkts, 2348:5296 bytes, rule 143
                                          id: 010000005822dc19 creatorid: fe76c013
                                        igb0 tcp X.X.X.X:46700 (192.168.1.40:65410) -> 207.46.10.10:993      TIME_WAIT:TIME_WAIT
                                          [2546679215 + 5346] wscale 5  [1970684899 + 130688] wscale 0
                                          age 00:03:58, expires in 00:00:10, 24:19 pkts, 2348:5296 bytes, rule 88
                                          id: 010000005822dc1a creatorid: fe76c013
                                        igb1 tcp 207.46.10.10:993 <- 192.168.1.40:65412      TIME_WAIT:TIME_WAIT
                                          [3526826672 + 130731] wscale 0  [4281023330 + 5256] wscale 5
                                          age 00:03:58, expires in 00:00:08, 21:16 pkts, 2102:4714 bytes, rule 143
                                          id: 010000005822dc1b creatorid: fe76c013
                                        igb0 tcp X.X.X.X:39701 (192.168.1.40:65412) -> 207.46.10.10:993      TIME_WAIT:TIME_WAIT
                                          [4281023330 + 5256] wscale 5  [3526826672 + 130731] wscale 0
                                          age 00:03:58, expires in 00:00:08, 21:16 pkts, 2102:4714 bytes, rule 88
                                        --
                                          age 00:07:20, expires in 23:52:41, 9:9 pkts, 1607:1079 bytes, rule 87
                                          id: 0000000058236060 creatorid: fe76c013
                                        igb1 tcp 207.46.10.10:993 <- 192.168.1.40:65411      TIME_WAIT:TIME_WAIT
                                          [3710722489 + 129846] wscale 0  [766408712 + 5526] wscale 5
                                          age 00:03:58, expires in 00:00:07, 27:22 pkts, 2684:6934 bytes, rule 143
                                          id: 00000000582360ae creatorid: fe76c013
                                        igb0 tcp X.X.X.X:13185 (192.168.1.40:65411) -> 207.46.10.10:993      TIME_WAIT:TIME_WAIT
                                          [766408712 + 5526] wscale 5  [3710722489 + 129846] wscale 0
                                          age 00:03:58, expires in 00:00:07, 27:22 pkts, 2684:6934 bytes, rule 88
                                          id: 00000000582360af creatorid: fe76c013
                                        igb1 tcp 207.46.10.10:993 <- 192.168.1.40:65413      TIME_WAIT:TIME_WAIT
                                          [2772107354 + 130731] wscale 0  [1219956310 + 5256] wscale 5
                                          age 00:03:58, expires in 00:00:11, 21:16 pkts, 2102:4714 bytes, rule 143
                                          id: 00000000582360b0 creatorid: fe76c013
                                        igb0 tcp X.X.X.X:49628 (192.168.1.40:65413) -> 207.46.10.10:993      TIME_WAIT:TIME_WAIT
                                          [1219956310 + 5256] wscale 5  [2772107354 + 130731] wscale 0
                                          age 00:03:58, expires in 00:00:11, 21:16 pkts, 2102:4714 bytes, rule 88
                                        --
                                          age 00:02:10, expires in 00:00:07, 11:10 pkts, 1193:1059 bytes, rule 88
                                          id: 00000000582360d3 creatorid: fe76c013
                                        igb1 tcp 207.46.10.10:993 <- 192.168.1.40:65417      ESTABLISHED:ESTABLISHED
                                          [3804055570 + 130731] wscale 0  [4282722200 + 5256] wscale 5
                                          age 00:02:02, expires in 23:58:01, 21:16 pkts, 2102:4726 bytes, rule 143
                                          id: 00000000582360d6 creatorid: fe76c013
                                        igb0 tcp X.X.X.X:31046 (192.168.1.40:65417) -> 207.46.10.10:993      ESTABLISHED:ESTABLISHED
                                          [4282722200 + 5256] wscale 5  [3804055570 + 130731] wscale 0
                                          age 00:02:02, expires in 23:58:01, 21:16 pkts, 2102:4726 bytes, rule 88

                                        The established connections have the expected 24 hr session time.  The waiting connections have about 4 min.  Several minutes later, if I check the state again with the command, all of the sessions are closed except for a few sessions about to time out.

                                        igb1 tcp 207.46.10.10:993 <- 192.168.1.40:65417      TIME_WAIT:TIME_WAIT
                                          [3804055570 + 130731] wscale 0  [4282722200 + 5256] wscale 5
                                          age 00:03:59, expires in 00:00:05, 21:17 pkts, 2102:4766 bytes, rule 143
                                          id: 00000000582360d6 creatorid: fe76c013
                                        igb0 tcp X.X.X.X:31046 (192.168.1.40:65417) -> 207.46.10.10:993      TIME_WAIT:TIME_WAIT
                                          [4282722200 + 5256] wscale 5  [3804055570 + 130731] wscale 0
                                          age 00:03:59, expires in 00:00:05, 21:17 pkts, 2102:4766 bytes, rule 88

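An added example, not from this thread or from pfSense itself, that does in code what the two state dumps above were read by eye for: it parses `pfctl -vvss` output, pairs each connection's LAN-side and WAN-side entries, counts them by state, and flags connections about to expire or seen on only one interface. It assumes Python 3.8+ and a constructed sample in which 203.0.113.5 stands in for the redacted WAN address.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the state dump quoted above; 203.0.113.5
# stands in for the poster's redacted WAN address, and the "--" line plus the
# orphan "age" line after it mimic what `grep -a2` emits between matches.
SAMPLE = """\
igb1 tcp 207.46.10.10:993 <- 192.168.1.40:65410      TIME_WAIT:TIME_WAIT
  [1970684899 + 130688] wscale 0  [2546679215 + 5346] wscale 5
  age 00:03:58, expires in 00:00:10, 24:19 pkts, 2348:5296 bytes, rule 143
igb0 tcp 203.0.113.5:46700 (192.168.1.40:65410) -> 207.46.10.10:993      TIME_WAIT:TIME_WAIT
  age 00:03:58, expires in 00:00:10, 24:19 pkts, 2348:5296 bytes, rule 88
--
  age 00:07:20, expires in 23:52:41, 9:9 pkts, 1607:1079 bytes, rule 87
igb1 tcp 207.46.10.10:993 <- 192.168.1.40:65417      ESTABLISHED:ESTABLISHED
  age 00:02:02, expires in 23:58:01, 21:16 pkts, 2102:4726 bytes, rule 143
igb0 tcp 203.0.113.5:31046 (192.168.1.40:65417) -> 207.46.10.10:993      ESTABLISHED:ESTABLISHED
  age 00:02:02, expires in 23:58:01, 21:16 pkts, 2102:4726 bytes, rule 88
"""

HEADER = re.compile(r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<ends>.+?)\s+(?P<state>\S+:\S+)\s*$")
DETAIL = re.compile(r"age (\S+), expires in (\S+), .* rule (\d+)")


def hms(text):
    """'23:58:01' -> seconds; hours can exceed 24 (the thread shows 94:39:32)."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def endpoints(ends):
    """(client, server) for either direction: '<-' lines list server then client;
    '->' lines list the NAT address, the pre-NAT client in parentheses, then the server."""
    if "<-" in ends:
        server, client = (t.strip() for t in ends.split("<-"))
        return client, server
    left, server = (t.strip() for t in ends.split("->"))
    inner = re.search(r"\(([^)]+)\)", left)
    return (inner.group(1) if inner else left), server


def parse_states(text):
    states, current = [], None
    for line in text.splitlines():
        if not line.startswith(" "):  # header line or a grep "--" separator
            m = HEADER.match(line)
            current = None  # so orphan detail lines after "--" are ignored
            if m:
                client, server = endpoints(m["ends"])
                current = dict(iface=m["iface"], client=client, server=server, state=m["state"])
                states.append(current)
        elif current is not None and (m := DETAIL.search(line)):
            current["age"], current["expires"] = hms(m.group(1)), hms(m.group(2))
            current["rule"] = int(m.group(3))
    return states


def summarize(text, port=993, soon=60):
    """Pair LAN- and WAN-side entries per connection to `port`, count them by state,
    and flag ones expiring within `soon` seconds or seen on only one interface."""
    by_conn = defaultdict(list)
    for s in parse_states(text):
        if s["server"].endswith(f":{port}"):
            by_conn[(s["client"], s["server"])].append(s)
    counts, expiring, unpaired = defaultdict(int), [], []
    for key, entries in by_conn.items():
        counts[entries[0]["state"]] += 1
        if min(e["expires"] for e in entries) <= soon:
            expiring.append(key)
        if len(entries) != 2:  # a lone entry hints at a half-closed or asymmetric path
            unpaired.append(key)
    return dict(counts), expiring, unpaired
```

To use it on a live box, pass the text of `pfctl -vvss` (with or without the `grep -a2` separators from the command above) to summarize().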
                                          Derelict LAYER 8 Netgate

                                          There is no explanation but that your client or the server is closing them.

                                          You will have to packet capture to see what's actually happening.

                                            Harvy66

                                            There are only two reasons states get closed, short of a reboot or someone killing them via pfSense management or a custom package: a timeout, or a packet that tells the connection to end, RST or FIN. It seems the timeout is not the case. I could guess at what the issue is, but I wouldn't want to be wrong.
